According to "ICT Journal" ("In Switzerland, cyber-attacks are increasing more than in the world"), a journal specialising in IT business, the number of cyber-attacks worldwide increased by more than 50% in 2021. For Switzerland, the increase is 65% compared to 2020, especially in the following sectors:

  • Healthcare (+107%),
  • Banking/Finance (+98%),
  • Government/defence (+86%).


What characterises these attacks is that they fall into the "ransomware" category. They are, for the most part, opportunistic and take advantage of the low level of digital security maturity of their victims.


What is ransomware?

Ransomware is a malicious program designed to obtain payment of a ransom from the victim. In a ransomware attack, the hacker reversibly disables the victim's computer or information system. In practice, most ransomware uses cryptographic mechanisms to encrypt the data on the computer or system, making it impossible to access or use. The hacker then sends an unencrypted message to the victim, offering to provide the means to decrypt the data in exchange for a ransom payment.


What is the goal?

The goal is to extort money from the victim in exchange for the promise (not always kept) of regaining access to the corrupted data. Some attacks aim only to damage the victim's system in order to cause operational losses and harm to their image.

It is possible to protect oneself against this type of attack. To this end, the various organisations specialised in cybersecurity have defined a number of measures to help organisations and individuals protect their systems. Below is a non-exhaustive list of measures to implement in order to avoid ransomware attacks:


Regular data backup

All data should be backed up regularly, including data on file servers, infrastructure, and business-critical applications (e.g., online banking systems, cloud-based data storage, etc.). Keep in mind that these backups can themselves be affected by ransomware. Indeed, more and more cybercriminals attack backups to limit the victim's ability to recover their data, thereby maximizing the chances that the ransom is paid. These backups, at least the most critical ones, should be disconnected from the information system to prevent them from being encrypted like other files. To do this, it is recommended to use a cold storage solution such as an external hard drive or tape. In this way, backups are protected from system infections and critical data is available when business resumes.


Software and system updates

Unpatched vulnerabilities in the operating systems or software present on information systems can be used to infect systems or to facilitate the spread of infections. The publishers of these solutions regularly release updates that include security patches. It is essential to install them promptly, following a controlled process. If this is not possible, for example for business reasons, isolation measures should be imposed on the systems concerned. Particular attention must be paid to the software installed on user workstations (web browsers, office suites, PDF readers, media players, etc.). It is therefore important to plan for the life span of the hardware and software present in the information system so that it can be kept up to date.


Use and maintenance of antivirus software

Nowadays, antivirus software is still necessary to defend against ransomware on exposed resources (e.g., workstations, file servers, etc.). These tools are not guaranteed to protect your entity from unknown ransomware, but in most cases they can prevent compromise and avoid the encryption of your files. However, for these tools to be effective, it is important to update the signatures and the scanning engine frequently, and to run regular scans of file storage for known malware.


Information system partitioning

Without protection, ransomware can spread from a single infected machine through your information systems and infect most of the accessible machines. On an unpartitioned computer network, an attacker can control a large number of resources and thus amplify the consequences of the attack, for example by accessing management functions or devices reserved for administrators. To limit the risk of spread, it is recommended to set up one or more filtering devices that partition the information system into network zones of differing criticality (e.g., internal server zones, server zones exposed to the Internet, user workstation zone, administration zone, etc.).


Limited user access rights and authorizations to applications

The first good practice is to check that users are not administrators of their workstation. In this way, the installation of software and the unintentional execution of malicious code are prevented by default. The other good practice to adopt is to dedicate and limit the administration accounts on the resources of the information system, and to set up dedicated administration workstations without Internet access. Indeed, during a compromise, attackers are often observed trying to access these privileged accounts.


Controlled Internet access

Ransomware often takes advantage of an entity's Internet access to communicate with infrastructure hosted online by cybercriminals. Moreover, by browsing a compromised website, an employee can unknowingly download the malware and cause it to be installed automatically on their workstation.


Employee awareness

Most of the time, a ransomware attack starts with the opening of a phishing attachment or a visit to a malicious web page. Training users in good digital security practices is therefore an essential step in the fight against this threat, even if it cannot be an absolute shield. The goal is also to create or reinforce certain reflexes among users by inviting them to report any suspicious element to the organisation's IT department (e.g., a suspicious attachment or USB key, an unusual request, etc.).


Cyber insurance

Nowadays, cyber insurance contracts make it possible to support victims of cyber-attacks by providing them with legal assistance as well as financial coverage of the damage (material, immaterial, etc.). However, the market is still in its infancy and needs to continue to develop, especially the case law concerning whether or not exclusion clauses apply.


Setting up a response plan to cyber-attacks

What characterises ransomware attacks is their destabilising effect on organisations. Support functions such as telephony and messaging, as well as business applications, can be disabled. This means switching to a degraded mode of operation and, in some cases, going back to pen and paper. The attack usually results in a partial interruption of the business and, in the most severe cases, a total interruption.


Cyber crisis communication strategy

To face a ransomware attack, it is essential to define the company's overall communication strategy, to be applied from the very first hours in order to limit the impact of the crisis on the image and reputation of the entity, both internally and externally.


What to do in case of an attack?

According to the NCSC (National Cyber Security Centre), in the event of an attack, the following actions should be taken:

  • Limit the damage: immediately disconnect infected systems from the network.
  • Notify the IT department or provider.
  • Identify infected systems: logs (log files) can help identify the affected systems.
  • Detection: logs from email servers, proxy servers, firewalls, and any security software can be used to determine the extent of the infection and to identify the attackers' URLs and IP addresses.
  • Reporting: the NCSC recommends filing a criminal report with the appropriate authorities.
  • Forensic analysis: decide early on whether you are going to conduct a forensic analysis. This is especially important if you intend to file a criminal complaint.
  • Back up encrypted data: if backup copies have also been encrypted, it is recommended to keep and back up this encrypted data so that it can be decrypted later if a solution is found.
  • Reinstall affected systems: the infected systems must be reinstalled before data recovery begins. The operating system used should come from a trusted installation medium.
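As an added illustration of the "Identify infected systems" and "Detection" steps above (example code written for this article, not from the NCSC or the original page): a small Python triage script that runs a constructed indicator list (placeholder hosts and addresses, not real indicators) over constructed proxy log lines and reports which internal clients contacted them, so they can be isolated first.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (squid-style: timestamp, client IP, status,
# method, URL). These are made up for the example and are not real traffic.
PROXY_LOG = """\
1700000001.123 10.0.0.15 TCP_MISS/200 GET http://intranet.example.local/portal
1700000002.456 10.0.0.23 TCP_MISS/200 GET http://203.0.113.77/gate.php
1700000003.789 10.0.0.15 TCP_MISS/200 GET http://update.example-c2.test/beacon
1700000004.012 10.0.0.42 TCP_MISS/200 GET http://www.example.org/news
1700000005.345 10.0.0.23 TCP_DENIED/403 GET http://203.0.113.77/upload
"""

# Constructed indicator list: placeholder hosts/IPs standing in for the
# attackers' URLs and IP addresses identified during the investigation.
INDICATORS = {"203.0.113.77", "update.example-c2.test"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$"
)
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")


def host_of(url: str) -> str:
    """Return the host part of a URL (lower-cased), or '' if it cannot be parsed."""
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else ""


def find_infected_hosts(log_text: str, indicators: set[str]) -> dict[str, list[str]]:
    """Map each internal client IP to the indicator hosts it contacted.

    Denied requests count too: a blocked beacon still shows the client is infected.
    """
    hits: dict[str, list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort mid-triage
        host = host_of(m.group("url"))
        if host in indicators and host not in hits[m.group("client")]:
            hits[m.group("client")].append(host)
    return dict(hits)


if __name__ == "__main__":
    for client, hosts in sorted(find_infected_hosts(PROXY_LOG, INDICATORS).items()):
        print(f"{client} contacted {', '.join(hosts)} -> isolate and investigate")
```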


Do we have to pay the ransom?

The relevant authorities strongly advise against paying the ransom. There is no guarantee that the criminals will make the encrypted data available again, and paying amounts to funding the criminal system.

If you have any further questions, please contact our experts Pierre Messus (LinkedIn account), Head of IT Risk Advisory, and Syrilia Amine (LinkedIn account), IT Risk Advisory consultant. They are at your disposal to support you in your security efforts.